Browser patches also cease next month as service pack is retired

Barring an unforeseen patch in the next four weeks, users running Windows XP Service Pack 2 (SP2) have seen their last security update for Internet Explorer.

Although Microsoft has told Windows XP SP2 users several times this year that it will retire the 2004 operating system on July 13, users may not realize that they will also not receive any Internet Explorer (IE) security updates after that date.

Microsoft confirmed that users running Windows XP SP2 will receive no IE6, IE7 or IE8 patches after July 13. The company said there is no mechanism for offering IE-only patches to people using Windows XP SP2.

"Customers will need to install [Windows] XP SP3 in order to leverage the extended support (which includes security updates), which will run through April 2014," a Microsoft spokeswoman said in an e-mail reply to questions. "There is no differentiation for XP SP2 customers running IE."

The practice of linking browser patches to operating systems' support lifecycles is a longstanding Microsoft policy.

However, it means that users still relying on Windows XP SP2 will be at risk for exploits of any IE vulnerability that Microsoft patches after July 13. According to data from Qualys, about half of all enterprise PCs running Windows XP were still using SP2 as of late last month.

Unless Microsoft releases an emergency IE update in the next 31 days or deviates from its habit of issuing browser updates on alternate months, XP SP2 users have received their last IE patch. Microsoft fixed six IE flaws June 8 during this month's Patch Tuesday. The next IE fix probably won't appear until Aug. 10, after XP SP2 drops out of support.

Microsoft could deliver an "out-of-band" patch before July 13 if an IE vulnerability popped up and the company hustled to craft and release a fix. However, there are no open Microsoft-issued IE security advisories. A bug disclosed last week that can be exploited via IE -- or any other browser -- is not in IE, but in a Windows help component.

To continue to receive IE security updates, users must upgrade to Windows XP SP3, shift to a newer edition of Windows, or manually download the browser updates from Microsoft's site. The latter, however, is not supported: Microsoft links IE updates to specific operating systems editions, and there is no guarantee that one labeled for XP SP3 will work with the older service pack.

Alternately, users can stop using Internet Explorer and turn instead to a rival browser, such as Mozilla's Firefox, Google 's Chrome or Opera Software's Opera.